In this article we will take a look at how to configure the vRealize Automation plugin for ServiceNow. The plug-in enables ServiceNow users to deploy virtual machines and perform day 2 actions on CMDB resources using vRealize Automation catalog and governance capabilities.

Navigate to the <installation_directory>/<mid server name>/agent directory and edit the config.xml file as follows:
Find the <parameter name="url" value="https://YOUR_INSTANCE.service-now.com"/> element and change the value to the URL of your ServiceNow instance. Keep the https:// scheme; the MID user's credentials are sent to this URL.
Enter the MID user credentials you created earlier in the mid.instance.username and mid.instance.password parameters. The password sits in clear text in config.xml until the MID Server starts and encrypts it, so restrict read access to the file to the account that runs the MID Server.
Find the <parameter name="name" value="YOUR_MIDSERVER_NAME_GOES_HERE"/> element and change the value to the MID Server name. Use the same name you used for the <mid_server_name> directory earlier.
(Optional) Enter connection information for the proxy server. Remove the appropriate comment tags from the proxy configuration section. For example, you can configure mid.proxy.use_proxy, mid.proxy.host, mid.proxy.port, mid.proxy.username, and mid.proxy.password.
Save the config.xml file.
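The edits in the steps above, as an added example (this is not ServiceNow's code; the template below is a constructed stand-in for the shipped config.xml that carries only the parameters the article names, and the proxy dict shape is an assumption). It fills the parameters in place and then checks the result for the mistakes that typically stop a MID Server from registering: placeholders left in, an http:// instance URL, or a proxy turned on without a host.

```python
"""Fill in and sanity-check the MID Server config.xml parameters (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed stand-in for <installation_directory>/<mid server name>/agent/config.xml;
# the shipped file has more parameters and keeps the proxy block commented out.
TEMPLATE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<parameters>
  <parameter name="url" value="https://YOUR_INSTANCE.service-now.com"/>
  <parameter name="mid.instance.username" value="YOUR_INSTANCE_USER_NAME_HERE"/>
  <parameter name="mid.instance.password" value="YOUR_INSTANCE_PASSWORD_HERE" encrypt="true"/>
  <parameter name="name" value="YOUR_MIDSERVER_NAME_GOES_HERE"/>
</parameters>
"""

PLACEHOLDERS = ("YOUR_INSTANCE", "YOUR_MIDSERVER_NAME_GOES_HERE")
PROXY_PARAMS = ("mid.proxy.host", "mid.proxy.port", "mid.proxy.username", "mid.proxy.password")


def set_param(root, name, value):
    """Set <parameter name=... value=.../>, adding the element when the template lacks it."""
    for p in root.iter("parameter"):
        if p.get("name") == name:
            p.set("value", value)
            return p
    return ET.SubElement(root, "parameter", name=name, value=value)


def configure_mid_server(xml_text, url, mid_name, username, password, proxy=None):
    """Return config.xml text with URL, MID Server name, credentials and optional proxy set.

    proxy (assumed shape) is a dict with host, port and optionally username/password;
    each key maps onto the mid.proxy.<key> parameter.
    """
    root = ET.fromstring(xml_text)
    set_param(root, "url", url)
    set_param(root, "name", mid_name)
    set_param(root, "mid.instance.username", username)
    # keep encrypt="true" so the MID Server replaces the clear-text value on first start
    set_param(root, "mid.instance.password", password).set("encrypt", "true")
    if proxy:
        set_param(root, "mid.proxy.use_proxy", "true")
        for key in PROXY_PARAMS:
            short = key.rsplit(".", 1)[1]
            if short in proxy:
                set_param(root, key, str(proxy[short]))
    return ET.tostring(root, encoding="unicode")


def get_params(xml_text):
    """Map of parameter name to value."""
    return {p.get("name"): p.get("value") for p in ET.fromstring(xml_text).iter("parameter")}


def check_config(xml_text):
    """Problems a reviewer would flag before running start.bat; an empty list means clean."""
    params = get_params(xml_text)
    problems = []
    for name, value in params.items():
        if any(ph in (value or "") for ph in PLACEHOLDERS):
            problems.append(f"{name}: placeholder value left in")
    if urlparse(params.get("url", "")).scheme != "https":
        problems.append("url: instance URL must be https; the MID user's credentials go to it")
    if params.get("mid.proxy.use_proxy") == "true" and not params.get("mid.proxy.host"):
        problems.append("mid.proxy.host: proxy enabled but no host configured")
    return problems


if __name__ == "__main__":
    # instance, MID Server name and proxy host below are assumed values
    cfg = configure_mid_server(TEMPLATE_CONFIG, "https://dev12345.service-now.com",
                               "vra-mid-01", "mid_user", "s3cret",
                               proxy={"host": "proxy.corp.example", "port": 8080})
    print(cfg)
    print("problems:", check_config(cfg))
    print("template problems:", check_config(TEMPLATE_CONFIG))
```

Run it against the real file by reading config.xml into `configure_mid_server` and writing the result back; `check_config` on the untouched template reports every placeholder, which is the state the MID Server is in if a parameter was missed.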

Execute the start.bat script.

Log in to the ServiceNow instance identified in the config.xml file.
Navigate to MID Server > Servers. Alternatively, if Discovery is installed, navigate to Discovery > MID Servers.

Verify that all MID Servers connected to this instance are listed.

Select the MID Server name and, under Actions on selected rows…, select Validate.

The MID Server should now show as validated.

Configuring ADFS Integration with ServiceNow

This section covers how to configure ADFS Integration with ServiceNow.

Configuring SAML Single-Sign On in ServiceNow

Log in to your ServiceNow portal.
Navigate to System Definition > Plugins
In the search field type SSO.

Verify that the SSO Provided by Okta, Inc. plugin is active.

Configure properties for the ServiceNow identity provider.
As a ServiceNow system administrator, enter SAML in the navigation filter to open SAML 2 Single Sign-on.
Select Properties to configure SAML sign on properties.

Select the Enable external authentication check box.

Download the ADFS federation metadata file by entering its URL in your browser: https://<ADFS hostname>/federationmetadata/2007-06/federationmetadata.xml

Open the ADFS federation metadata file that you downloaded, and use the appropriate information from it to populate the text boxes on the SAML 2.0 Single Sign-on properties page.

ServiceNow SAML Single Sign-on Setting / Example Value

The Identity Provider URL which will issue the SAML2 security token with user info. This is the ADFS federation service identifier (the entityID in the metadata); it uses http:// by default and is an identifier, not an address the browser is sent to.
    Example: http://<ADFS hostname>/adfs/services/trust

The base URL to the Identity Provider's AuthRequest service. The AuthRequest will be posted to this URL as the SAMLRequest parameter.
    Example: https://<ADFS hostname>/adfs/ls/

The base URL to the Identity Provider's SingleLogoutRequest service. The LogoutRequest will be posted to this URL as the SAMLRequest parameter.
    Example: https://<ADFS hostname>/adfs/ls/?wa=wsignout1.0

The protocol binding for the Identity Provider's SingleLogoutRequest (values can be either "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" or "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST").
    Example: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect (for most systems, you can accept the default)

SignLogoutRequest. Set this property to true if the Identity Provider's SingleLogoutRequest service requires a signed LogoutRequest.
    Example: optional; leave blank

URL to redirect users to after logout, typically back to the portal that initiated the SSO (e.g. http://portal.vmware.com/logout).
    Example: external_logout_complete.do

Configure ServiceNow Service Provider properties.
Keep defaults for all fields not listed in the following table.

Property / Example

The URL for the ServiceNow instance home page.
    Example: https://<ServiceNow instance name>/navpage.do

The entity identification or the issuer.
    Example: https://<ServiceNow instance name>

The audience URI that accepts the SAML2 token.
    Example: https://<ServiceNow instance name>

The User table field to match the Subject's NameID in the SAMLResponse.
    Example: email

The NameID policy to use for returning the Subject's NameID in the SAMLResponse. The SAML identity provider must support this by declaring the policy in its metadata. The NameID value is used to match with the specified field in the User table to look up the user.
    Example: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Click Save.

Configuring the SAML 2.0 Certificate for ServiceNow

In the FederationMetadata.xml file, navigate to the IDPSSODescriptor element, then to the KeyDescriptor element whose use attribute is "signing", and within it to the X509Data section. ADFS also publishes a KeyDescriptor with use="encryption"; that key does not verify SAMLResponse signatures and is not the one ServiceNow needs.

Copy the certificate content from the <X509Certificate> node of that signing KeyDescriptor in FederationMetadata.xml.

Login to ServiceNow and navigate to SAML 2 Single Sign-on > Certificate.

Click on the SAML 2.0 certificate.

Paste the certificate you copied earlier between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

Click Update.

Select again the SAML 2.0 certificate.

Click the Validate link at the bottom of page to validate your certificate.

Click the Metadata link in the SAML plug-in menu and copy the metadata content to an xml file: for instance, servicenowInstanceName-metadata.xml.
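The two look-ups above, populating the SAML properties from the ADFS metadata and pulling the signing certificate out of the correct KeyDescriptor, as an added example (not ServiceNow's or ADFS's code). The metadata below is a constructed, trimmed stand-in for https://<ADFS hostname>/federationmetadata/2007-06/federationmetadata.xml with both an encryption and a signing key, the way ADFS publishes them; the certificate bytes are placeholders rather than real DER, and the host name is assumed. Real files also carry SP descriptors, WS-Federation elements and an enveloped signature, which are ignored here.

```python
"""Derive the ServiceNow SAML settings and the signing cert PEM from ADFS metadata (added example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Placeholder bytes; a real file carries the base64 DER of the ADFS token-signing certificate.
SIGNING_DER = b"constructed placeholder, not a real certificate"
ENCRYPTION_DER = b"constructed placeholder for the encryption key"

# Constructed metadata; encryption key listed first on purpose, as ADFS does.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://adfs.corp.example/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{base64.b64encode(ENCRYPTION_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{base64.b64encode(SIGNING_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="https://adfs.corp.example/adfs/ls/"/>
    <SingleLogoutService Binding="{POST}" Location="https://adfs.corp.example/adfs/ls/"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://adfs.corp.example/adfs/ls/"/>
    <SingleSignOnService Binding="{POST}" Location="https://adfs.corp.example/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def to_pem(b64_blob):
    """Re-wrap the metadata's base64 blob as PEM, the form ServiceNow's certificate record holds."""
    body = "".join(b64_blob.split())          # metadata may wrap or indent the blob
    base64.b64decode(body, validate=True)      # fail early on a truncated copy/paste
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def der_bytes(pem):
    """DER bytes back out of a PEM block."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def fingerprint(pem):
    """SHA-256 of the DER, to compare against the thumbprint shown on the ADFS token-signing cert."""
    return hashlib.sha256(der_bytes(pem)).hexdigest()


def _endpoint(idp, tag, preferred):
    """(Location, Binding) of the endpoint with the preferred binding, else the first listed."""
    eps = idp.findall(f"md:{tag}", NS)
    for ep in eps:
        if ep.get("Binding") == preferred:
            return ep.get("Location"), ep.get("Binding")
    return (eps[0].get("Location"), eps[0].get("Binding")) if eps else (None, None)


def servicenow_settings(metadata_xml):
    """Values for the SAML 2.0 Single Sign-on properties page, keyed by the article's settings."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    # Only use="signing" (or unspecified use) keys verify SAMLResponse signatures.
    certs = [kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"]
    if not certs:
        raise ValueError("no signing KeyDescriptor in IDPSSODescriptor")
    sso_url, _ = _endpoint(idp, "SingleSignOnService", POST)       # AuthRequest is POSTed
    slo_url, slo_binding = _endpoint(idp, "SingleLogoutService", REDIRECT)
    return {
        "identity_provider_url": root.get("entityID"),
        "authrequest_url": sso_url,
        "logout_request_url": slo_url,
        "logout_binding": slo_binding,
        "nameid_formats": [e.text for e in idp.findall("md:NameIDFormat", NS)],
        "signing_certs_pem": [to_pem(c) for c in certs],  # more than one during ADFS key rollover
    }


if __name__ == "__main__":
    for key, value in servicenow_settings(SAMPLE_METADATA).items():
        print(key, "=", value)
```

When ADFS is mid-rollover, `signing_certs_pem` holds two entries; ServiceNow's single certificate record must carry the one ADFS is currently signing with, which is why the Validate step after pasting matters.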

Configuring an ADFS Relying Party Trust with ServiceNow

This section covers how to configure ADFS Relying Party Trust with ServiceNow

Log in to your ADFS server and open the AD FS Management console from Administrative Tools.

Right-click Relying Party Trusts and select Add Relying Party Trust…

Click Start on the configuration wizard.

Select Import data about the relying party from a file on the Select Data Source page.
Import the ServiceNow metadata file that you copied and saved previously from the SAML configuration metadata section.

Click Next.

Enter the name for your ServiceNow instance in the Display text box on the Specify Display Name page.

Click Next.

On the Configure Multi-factor Authentication Now? page, click Next.

Select Permit all users to access this relying party on the Choose Issuance Authorization Rules page. This lets ADFS issue a token to any account it authenticates; ServiceNow still only signs in accounts whose NameID matches a record in its User table.

Click Next.

Click Next on the Ready to Add Trust page.

Click Close on the Finish page.

Configuring Claim Rules for ADFS ServiceNow Integration

When configuring ADFS integration for ServiceNow, you must set up the appropriate claim rules to control the behavior of incoming and outgoing claims.
This section covers how to configure Claim Rules for ADFS ServiceNow integration.

Right click the relying party trust that you created for ServiceNow, and select Edit Claims Rules.

Select Add Rule on the Issuance Transform Rules tab.

Select Send LDAP Attributes as Claims as the template for the claim rule to create.

Click Next.

Enter the name Get Email Attribute in the Claim rule name text box on the Configure Claim Rule wizard page.
Select Active Directory as the Attribute store.
In the Mapping of LDAP attributes to outgoing claim types section of the page, select E-Mail-Addresses as the LDAP Attribute and E-Mail Address as the Outgoing Claim Type.
Click OK.

Click Finish.

Select Add Rule.
You must add a second rule that turns the e-mail claim produced by the Get Email Attribute rule into the SAML Subject NameID in the format ServiceNow expects; without it the SAMLResponse carries the e-mail only as an attribute and ServiceNow has no NameID to match against the User table.
Select Transform an Incoming Claim.

Click Next.

Enter the name Transformation in the Claim rule name text box on the Configure Claim Rule wizard page.
Select E-Mail Address for the incoming claim type.
Select Name ID as the outgoing claim type.
Select Email as the outgoing name ID format.
Select Pass through all claim values.
Click Finish.
Click Apply.
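The matching described in the Service Provider properties table and the effect of the two claim rules just configured, as an added example (not ServiceNow's or ADFS's code): a constructed assertion is built the way ADFS issues it after both rules, and a stand-in for the ServiceNow side checks issuer, validity window, audience and NameID format before looking the NameID up in the `email` field of the User table. The instance and host names, the user rows and the case-insensitive comparison are assumptions; XML signature verification, which ServiceNow performs with the SAML 2.0 certificate, is deliberately not modelled here.

```python
"""SP-side checks on an ADFS assertion against the ServiceNow SAML properties (added example)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
STAMP = "%Y-%m-%dT%H:%M:%SZ"

# ServiceNow properties from the article's tables; instance and ADFS host names are assumed.
SP_CONFIG = {
    "idp_entity_id": "http://adfs.corp.example/adfs/services/trust",
    "audience": "https://dev12345.service-now.com",
    "nameid_policy": EMAIL_FORMAT,
    "user_field": "email",
}

# Constructed rows standing in for the User (sys_user) table.
USER_TABLE = [
    {"user_name": "jdoe", "email": "jdoe@corp.example"},
    {"user_name": "asmith", "email": "asmith@corp.example"},
]


def build_assertion(issuer, audience, email, with_nameid=True, lifetime_s=300):
    """Constructed assertion shaped like ADFS output after both claim rules.

    with_nameid=False mimics a relying party that has only the 'Get Email Attribute'
    rule: the e-mail is still present as an attribute, but there is no Subject NameID.
    """
    now = datetime.now(timezone.utc)
    nameid = f'<saml:NameID Format="{EMAIL_FORMAT}">{email}</saml:NameID>' if with_nameid else ""
    not_after = (now + timedelta(seconds=lifetime_s)).strftime(STAMP)
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed" Version="2.0" IssueInstant="{now.strftime(STAMP)}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject>{nameid}</saml:Subject>
  <saml:Conditions NotBefore="{now.strftime(STAMP)}" NotOnOrAfter="{not_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_CLAIM}"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _utc(stamp):
    return datetime.strptime(stamp, STAMP).replace(tzinfo=timezone.utc)


def validate(assertion_xml, config=SP_CONFIG, users=USER_TABLE, now=None):
    """Return (user_row, None) when the assertion logs a user in, else (None, reason)."""
    now = now or datetime.now(timezone.utc)
    a = ET.fromstring(assertion_xml)
    if a.findtext("saml:Issuer", namespaces=NS) != config["idp_entity_id"]:
        return None, "issuer does not match the Identity Provider URL"
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return None, "assertion carries no validity window"
    if not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        return None, "assertion outside its validity window"
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if config["audience"] not in audiences:
        return None, "audience does not include this ServiceNow instance"
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or not nameid.text:
        return None, "no NameID: add the Transform rule (E-Mail Address -> Name ID, format Email)"
    if nameid.get("Format") != config["nameid_policy"]:
        return None, f"NameID format {nameid.get('Format')} does not match the NameID policy"
    # case-insensitive match on the configured User field (assumption for the example)
    matches = [u for u in users if u[config["user_field"]].lower() == nameid.text.lower()]
    if len(matches) != 1:
        return None, "NameID does not match exactly one User record"
    return matches[0], None


if __name__ == "__main__":
    idp, aud = SP_CONFIG["idp_entity_id"], SP_CONFIG["audience"]
    print(validate(build_assertion(idp, aud, "jdoe@corp.example")))
    print(validate(build_assertion(idp, aud, "jdoe@corp.example", with_nameid=False)))
    print(validate(build_assertion(idp, "https://other.service-now.com", "jdoe@corp.example")))
```

The second call reproduces the symptom of a missing Transformation rule: the e-mail is in the assertion, but as an attribute only, so the user lookup never happens. The third shows why the audience URI must be the instance's own URL and nothing broader.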